Minnesota lawmakers debate response to Target data breach

By Mike Cronin, Associated Press

Posted: 02/25/2014 12:01:00 AM CST

Updated: 02/25/2014 08:10:16 PM CST

Objections to a bill that would expand the victim-notification process after a retail or wholesale business data breach were strident and frequent during a hearing Tuesday afternoon of the Minnesota House commerce committee.

State representatives also doubted the wisdom of penalties extended to businesses that incurred the data breach under the bill authored by Rep. Dan Schoen, DFL-St. Paul Park.

The proposed bill would require notifying, within 48 hours of the breach's discovery, individuals whose information appears to have been stolen. Victims of data theft also would be offered, within 30 days of the breach, free credit monitoring for one year. And if those responsible for the breach are retailers or wholesalers of consumer goods or services, they must give the victim a $100 gift card that is valid for at least one year.

"That's $11 billion Target would have to pay," said Rep. Greg Davids, R-Preston, referring to the gift-card provision if Schoen's bill were law during the massive data breach that Target officials discovered in December. "Those are job-killing gift cards."

Target reported in mid-December that financial information from up to 40 million shoppers was compromised during the holiday shopping season. The company then said in January that additional information may have been taken from up to 70 million other customers.

Schoen conceded that his gift-card idea was more a ploy to bring attention to restoring consumer confidence in the privacy of their personal information. He applauded Target's handling of the breach -- which included one year of free credit monitoring -- but said that cyber-incursion spurred the idea for his bill.

"I think we should fortify in statute one year of credit monitoring and encourage folks in business to do the right thing, which is protect our data," he said.

But many of his committee colleagues said businesses already are doing the right thing.

Rep. Sarah Anderson, R-Preston, asked whether the bill was redundant, saying what Schoen wants to codify already falls under the purview of the Minnesota attorney general.

Several lawmakers, including Rep. Kurt Zellers, R-Maple Grove, asked whether public entities also would be covered under Schoen's bill. Though Schoen emphasized repeatedly that an "even playing field" should exist between the private and public sectors, it remains unclear whether the legislation would include government agencies, said Andrew Biggerstaff, a Minnesota House legislative analyst. The question would be conclusively answered only if and when a court ruled on it, Biggerstaff said.

Meanwhile, in Washington, the U.S. House of Representatives' Committee on Oversight and Government Reform wants copies of messages and documents showing when Target learned of the data breach.

In a letter Tuesday to Target CEO Gregg Steinhafel, committee chairman Darrell Issa, R-Calif., said information the company provided to the Senate Judiciary Committee did not sufficiently clarify when Target executives knew they may have been the victim of a cyber-attack.

Earlier this month, Target Chief Financial Officer John Mulligan testified before House and Senate committee hearings in Washington on the data breach, describing the timeline of Target's knowledge of the breach, the ongoing corporate and government investigations and remedies Target is proposing.